Policy Library

Congress bundles a library of useful policies to help users get started.

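For example, the policy in library/volume_encryption/servers_unencrypted_volume.yaml
identifies servers with unencrypted volumes attached and warns on them. It raises
an error when such a server is also not covered by a protected security group.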

    ---
    name: VolumeEncryption
    description: "Warn/error on servers with unencrypted volumes attached."
    depends-on:
      - SecurityGroups
    rules:
      -
        rule: >
          servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
          nova:servers(id=server_id, name=server_name),
          cinder:attachments(volume_id=volume_id, server_id=server_id),
          cinder:volumes(id=volume_id, name=volume_name, encrypted=False)
      -
        comment: "Warn on servers with unencrypted volume."
        rule: >
          warning(server_id, server_name, volume_id, volume_name) :-
          servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
      -
        comment: "Servers with unencrypted volume, which is also not covered by a protected security group."
        rule: >
          unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
          servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name),
          SecurityGroups:unprotected_servers(server_id)
      -
        comment: "Error on servers with unencrypted volume, which is also not covered by a protected security group."
        rule: >
          error(server_id, server_name, volume_id, volume_name) :-
          unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
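
The joins this policy performs, shown as an added Python example (not Congress code and not part of the policy library). The table rows, the contents of SecurityGroups:unprotected_servers and the function names are constructed for illustration.

```python
# Constructed sample rows standing in for the datasource tables the policy reads.
NOVA_SERVERS = [
    {"id": "s1", "name": "web-1"},
    {"id": "s2", "name": "db-1"},
    {"id": "s3", "name": "batch-1"},
]
CINDER_VOLUMES = [
    {"id": "v1", "name": "web-data", "encrypted": True},
    {"id": "v2", "name": "db-data", "encrypted": False},
    {"id": "v3", "name": "scratch", "encrypted": False},
    {"id": "v4", "name": "spare", "encrypted": False},  # unencrypted but unattached
]
CINDER_ATTACHMENTS = [
    {"volume_id": "v1", "server_id": "s1"},
    {"volume_id": "v2", "server_id": "s2"},
    {"volume_id": "v3", "server_id": "s3"},
]
# Assumed result of SecurityGroups:unprotected_servers(server_id).
UNPROTECTED_SERVERS = {"s3"}


def servers_with_unencrypted_volume(servers, attachments, volumes):
    """Join servers -> attachments -> volumes, keeping encrypted=False only."""
    server_names = {s["id"]: s["name"] for s in servers}
    unencrypted = {v["id"]: v["name"] for v in volumes if v["encrypted"] is False}
    # A set mirrors Datalog semantics: duplicate attachment rows yield one tuple.
    rows = {
        (a["server_id"], server_names[a["server_id"]],
         a["volume_id"], unencrypted[a["volume_id"]])
        for a in attachments
        if a["server_id"] in server_names and a["volume_id"] in unencrypted
    }
    return sorted(rows)


def evaluate(servers, attachments, volumes, unprotected):
    """Return the rows the policy would place in its warning and error tables."""
    warning = servers_with_unencrypted_volume(servers, attachments, volumes)
    # error is warning further joined with the unprotected-server set.
    error = [row for row in warning if row[0] in unprotected]
    return {"warning": warning, "error": error}


if __name__ == "__main__":
    result = evaluate(NOVA_SERVERS, CINDER_ATTACHMENTS, CINDER_VOLUMES, UNPROTECTED_SERVERS)
    for table, rows in result.items():
        for row in rows:
            print(table, row)
```

The unattached volume v4 produces no row, because the rule only matches volumes reachable through cinder:attachments.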